azure-pipelines.yml

trigger:
  branches:
    include:
      - main
      - refs/tags/*

resources:
  repositories:
    - repository: internal-templates
      type: github
      name: xamarin/yaml-templates
      endpoint: xamarin
      ref: refs/heads/main
    - repository: 1esPipelines
      type: git
      name: 1ESPipelineTemplates/1ESPipelineTemplates
      ref: refs/tags/release

parameters:
- name: OneLocSourceBranch
  default: refs/heads/main
- name: ApiScanSourceBranch
  default: refs/heads/main
- name: Skip1ESComplianceTasks
  default: false
- name: SignArtifacts
  default: false

variables:
- group: Xamarin-Secrets
- name: ApiScanSoftwareName
  value: VS
- name: ApiScanSoftwareVersion
  value: 17.10
- name: DisablePipelineConfigDetector
  value: true
- template: /yaml-templates/variables.yml@self

extends:
  ${{ if or(eq(variables['Build.Reason'], 'PullRequest'), eq('${{ parameters.Skip1ESComplianceTasks }}', 'true')) }}:
    template: v1/1ES.Unofficial.PipelineTemplate.yml@1esPipelines
  ${{ else }}:
    template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
  parameters:
    sdl:
      ${{ if eq('${{ parameters.Skip1ESComplianceTasks }}', 'true') }}:
        enableAllTools: false
      binskim:
        scanOutputDirectoryOnly: true
      codeql:
        runSourceLanguagesInSourceAnalysis: true
      suppression:
        suppressionFile: $(Build.SourcesDirectory)\.gdn\.gdnsuppress
      sourceAnalysisPool:
        name: AzurePipelines-EO
        image: $(WindowsPoolImage1ESPT)
        os: windows
    stages:
    - template: /yaml-templates/stage-build.yml@self

    - template: /yaml-templates/stage-test.yml@self

    - stage: Publish
      dependsOn: Build
      condition: and(eq(dependencies.Build.result, 'Succeeded'), eq(variables['System.TeamProject'], 'DevDiv'), or(startsWith(variables['Build.SourceBranch'], 'refs/tags/'), eq('${{ parameters.SignArtifacts }}', 'true'))) # only sign the packages when running on Windows, and using the private server which has the certificates
      jobs:
      - template: sign-artifacts/jobs/v2.yml@internal-templates
        parameters:
          usePipelineArtifactTasks: true
          use1ESTemplate: true
          signListPath: 'SignList.xml'

    - stage: Localization
      dependsOn: []
      condition: and(eq(variables['System.TeamProject'], 'DevDiv'), eq(variables['Build.SourceBranch'], '${{ parameters.OneLocSourceBranch }}'))
      jobs:
      - job: OneLocBuild
        displayName: OneLocBuild
        pool:
          name: AzurePipelines-EO
          demands:
          - ImageOverride -equals 1ESPT-Windows2022
        timeoutInMinutes: 30
        variables:
        - group: Xamarin-Secrets
        workspace:
          clean: all
        templateContext:
          outputs:
          - output: pipelineArtifact
            displayName: Publish Localization Files
            condition: succeededOrFailed()
            targetPath: $(Build.StagingDirectory)/loc
            artifactName: Loc
        steps:
        - checkout: self
          clean: true

        # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance#authentication-from-pipelines
        # Requires Azure client 2.x
        - task: AzureCLI@2
          displayName: 'Set AzDO.OneLocBuildToken'
          enabled: true
          inputs:
            azureSubscription: 'VSEng-AzureDevOps-ceapex-OneLocBuild'   # Azure DevOps service connection
            scriptType: 'pscore'
            scriptLocation: 'inlineScript'
            inlineScript: |
              # if this fails, check out this bash script that includes diagnostics:
              # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62
              # Note that the resource is specified to limit the token to Azure DevOps
              $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
              Write-Host "##vso[task.setvariable variable=AzDO.OneLocBuildToken;issecret=true]${token}"

        - task: OneLocBuild@2
          displayName: OneLocBuild
          env:
            SYSTEM_ACCESSTOKEN: $(System.AccessToken)
          inputs:
            locProj: Localize/LocProject.json
            outDir: $(Build.StagingDirectory)
            packageSourceAuth: patAuth
            patVariable: $(AzDO.OneLocBuildToken)
            isCreatePrSelected: true
            repoType: gitHub
            gitHubPatVariable: $(github--pat--vs-mobiletools-engineering-service2)
            prSourceBranchPrefix: locpr
            isShouldReusePrSelected: true
            isAutoCompletePrSelected: false
            isUseLfLineEndingsSelected: true

    - stage: Compliance
      displayName: Compliance
      dependsOn: Build
      condition: and(eq(dependencies.Build.result, 'Succeeded'), eq(variables['System.TeamProject'], 'DevDiv'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}'))
      jobs:
      - job: api_scan
        displayName: API Scan
        pool:
          name: Maui-1ESPT
          image: $(WindowsPoolImage1ESPT)
          os: windows
        timeoutInMinutes: 360
        workspace:
          clean: all
        steps:
        - task: DownloadPipelineArtifact@2
          displayName: download nuget artifact
          inputs:
            artifactName: nuget
            downloadPath: $(Build.StagingDirectory)
            itemPattern: '*.nupkg'

        - task: ExtractFiles@1
          displayName: Extract nuget
          inputs:
            archiveFilePatterns: $(Build.StagingDirectory)\**\*.nupkg
            destinationFolder: $(Build.SourcesDirectory)\nuget

        - task: CopyFiles@2
          displayName: Collect Files for APIScan
          inputs:
            Contents: |
              $(Build.SourcesDirectory)\nuget\**\?(*.dll|*.exe|*.pdb)
              !$(Build.SourcesDirectory)\**\runtimes\win-arm64\native\libzipsharpnative*.dll
            TargetFolder: $(Agent.TempDirectory)\T

        - powershell: Get-ChildItem -Path "$(Agent.TempDirectory)\T" -Recurse
          displayName: List Files for APIScan

        - task: APIScan@2
          displayName: Run APIScan
          inputs:
            softwareFolder: $(Agent.TempDirectory)\T
            symbolsFolder: 'SRV*http://symweb;$(Agent.TempDirectory)\T'
            softwareName: $(ApiScanSoftwareName)
            softwareVersionNum: $(ApiScanSoftwareVersion)
            toolVersion: Latest
          env:
            AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanMAUI1ESPTManagedId)

        - task: SdtReport@2
          displayName: Guardian Export - Security Report
          inputs:
            GdnExportAllTools: false
            GdnExportGdnToolApiScan: true
            GdnExportOutputSuppressionFile: apiscan.gdnsuppress

        - task: PublishSecurityAnalysisLogs@3
          displayName: Publish Guardian Artifacts
          inputs:
            ArtifactName: APIScan Logs
            ArtifactType: Container
            AllTools: false
            APIScan: true
            ToolLogsNotFoundAction: Warning

        - task: PostAnalysis@2
          displayName: Fail Build on Guardian Issues
          inputs:
            GdnBreakAllTools: false
            GdnBreakGdnToolApiScan: true